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■  Software  Engineering  Institute  ■ 


Summary  of 
Accomplishments 

This  section  provides  a  summary  of  accomplishments  from  July  —  September  1994. 


The  Software  Engineering  Institute  (SEI) 
hosted  its  annual  Software  Engineering 
Symposium  in  August.  This  year's  theme 
was  "10  Years  of  Improving  the  State  of  the 
Practice."  See  page  30  for  a  summary  of  the 
events. 

The  Empirical  Methods  Project  and  the  Soft¬ 
ware  Process  Measurement  Project, 
completed  a  technical  report  on  organiza¬ 
tional  gains  associated  with  capability 
maturity  model-based  software  process 
improvement.  See  page  35  for  information 
on  how  to  access  the  report,  entitled  Benefits 
of  CMM-Based  Software  Process  Improvement: 
Initial  Results. 

CERT5”  staff  is  developing  a  networked 
information  technology  security  taxonomy 
and  questionnaire  in  collaboration  with  the 
SEI  Risk  Program.  See  page  27  for  more 
information. 

The  Process  Research  Project  announced  the 
availability  of  a  prototype  personal  software 
process  "teach-the-teachers"  course.  The 
course  will  occur  next  quarter  and  will  have 
a  capacity  of  20  students.  For  details  about 


this  offering,  contact  the  SEI  Customer  Rela¬ 
tions  division  (see  page  35  for  contact 
information). 

This  quarter,  systems  engineering  capability 
maturity  model  (SE-CMM)  workshops  were 
held  to  review  the  content  of  successive 
drafts  of  the  SE-CMM  model  description. 
See  page  3  for  details. 

This  quarter,  the  SEI  reached  business 
agreements  for  commercializing  the  SEI- 
developed  SCE  training.  See  page  5  for 
additional  information. 

This  quarter,  members  from  the  Software 
Architecture  Technology  Initiative  Project 
continued  working  on  an  annotated  bibliog¬ 
raphy  of  important  documented  works 
concerning  software  architecture.  See  page  15 
for  details. 

Software  Architecture  Attribute  Engineering 
project  members  completed  the  industry 
review  of  its  structural  modeling  guidebook, 
to  be  turned  over  by  the  Air  Force's  Aeronau¬ 
tical  Systems  Command  Program  Office  for 
Simulators  and  Training  Devices  for  release 
during  the  next  quarter. 
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Software  Process 


The  Software  Process  Program  focuses  on  improving  the  process  of  software  development. 
Projects  within  the  program  are  appraising  and  teaching  others  to  appraise  the  actual  practice  of 
software  engineering  in  the  software  community,  training  organizations  to  gain  management 
control  over  their  software  development  processes,  supporting  the  use  of  quantitative  methods 
and  measures  as  a  basis  for  process  improvement,  and  developing  improved  methods  for 
software  process  management. 


■  Software  Process  Measurement 

The  objective  of  the  Software  Process  Mea¬ 
surement  (SPM)  Project  is  to  promote  and 
improve  the  use  of  measurement  in  manag¬ 
ing,  acquiring,  and  supporting  software 
systems.  The  project  is  formulating  reliable 
measures  of  the  software  development  pro¬ 
cess  and  products  to  guide  and  evaluate 
development.  To  expedite  Department  of 
Defense  and  industry  transition,  the  project  is 
actively  working  with  professionals  from 
industry,  government,  and  academia  in 
encouraging  organizations  to  use  quantita¬ 
tive  methods  to  improve  their  software 
processes. 

This  quarter,  deliveries  of  the  course  "Engi¬ 
neering  an  Effective  Software  Measurement 
Program"  were  presented  on-site  for  two  cus¬ 
tomers.  The  course  has  been  well  attended 
and  well  received  by  the  attendees.  Course 
offerings  were  held  at  the  Army  Missile  Com¬ 
mand  site  and  for  the  U.S.  Marines  at  the 
Quantico  site. 

The  technical  report  Benefits  of  CMM-Based 
Software  Process  Improvement:  Initial  Results 


was  completed  and  distributed  at  the  1994 
Software  Engineering  Institute  (SEI)  Software 
Engineering  Symposium.  The  authors 
included  members  of  the  SPM  and  Empirical 
Methods  Projects. 

Two  project  members  held  a  planning  session 
for  fiscal  year  1995  with  the  U.S.  Treasury  cus¬ 
tomer  in  early  August.  In  support  of  the 
continued  effort  with  U.S.  Treasury,  one 
project  member  has  completed  a  draft  of 
quality,  testing,  and  release  measures. 

The  project  leader  chaired  a  measurement 
panel  session  for  the  1994  SEI  Software  Engi¬ 
neering  Symposium.  The  panelists  included 
representatives  from  Hughes,  Motorola, 
Naval  Undersea  Warfare  Center,  and  the  SEI. 
Another  member  of  the  project  hosted  a 
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birds-of-a-feather  session  on  cost  estimating 
improvement  at  the  symposium. 

An  SPM  project  member  completed  a  draft  of 
cost,  schedule,  and  size  estimating  processes, 
guidelines,  and  templates.  This  project  mem¬ 
ber  also  met  with  representatives  of  Texas 
Instruments  and  Electronic  Data  Systems, 
Inc.  to  provide  them  with  information  on 
SPM  efforts  to  assemble  guidelines,  criteria, 
and  templates  and  to  solicit  their  inputs  on 
the  SEI  cost  estimating  efforts. 

Several  goals  were  met  this  quarter  in  sup¬ 
port  of  the  Defense  Information  Systems 
Agency /Center  for  Information  Manage¬ 
ment  (DISA/CIM)  technical  objectives  and 
plans  (TO&P).  Two  staff  members  completed 
a  draft  of  the  technical  report  "The  DISA  Soft¬ 
ware  Measurement  Pilot:  Lessons  Learned 
Applying  the  SEI  Core  Measures,"  which  was 
delivered  to  DISA  in  July.  A  customer  techni¬ 
cal  review  as  well  as  an  internal  project 
technical  review  was  held  on  the  DISA  mea¬ 
surement  phot  technical  report.  A 
teleconference  was  held  in  August  to  discuss 
FY95  support  with  DISA  and  all  of  the  pilot 
project  site  champions.  And  in  September,  a 
pilot  project  working  group  meeting  was 
held  to  discuss  and  summarize  the  conclu¬ 
sion  of  the  pilot  project  effort. 

A  new  TO&F  agreement  was  signed  with 
Defense  Finance  and  Accounting  Services. 
An  SPM  project  member — the  leader  for  this 
new  effort — held  a  kick-off  meeting  at  the 
customer  site  in  Indianapolis  in  September. 

Two  members  of  the  project  attended  the 
Cooperstown  II  Workshop,  which  was  spon¬ 
sored  by  Lloyd  Mosemann.  One  project 
member  participated  in  Working  Group  1, 


which  provided  an  assessment  of  Order  1  and 
a  set  of  recommendations  for  proceeding 
with  an  Order  2  prototype  repository.  The 
other  project  member  participated  in  Work¬ 
ing  Group  3  to  discuss  the  needs  for  a 
national  center  for  software  data  and  infor¬ 
mation.  To  follow  up,  a  meeting  is  scheduled 
with  Mosemann  at  the  end  of  September  to 
discuss  SEI  support  for  the  national  software 
initiatives. 

With  respect  to  supporting  the  national  soft¬ 
ware  data  and  information  repository 
(NSDIR),  an  SPM  staff  member  worked  with 
members  from  Unisys  in  conducting  phone 
interviews  with  potential  NSDIR  stakehold¬ 
ers  to  better  understand  the  ways  in  which 
they  might  use  an  NSDIR  and  understand  the 
issues  involved  in  establishing  a  viable 
NSDIR.  Much  of  the  interview  content  was 
factored  into  the  NDSIR  Order  I  presentation 
at  Cooperstown  II.  The  SPM  staff  member 
also  worked  with  Unisys  personnel  in  July 
and  August  to  construct  the  briefing  for  a 
Cooperstown  II  presentation,  which  outlined 
NSDIR  strategic  directions.  In  September, 
this  staff  member  participated  in  a  working 
meeting  at  the  Unisys  site  in  West  Virginia  to 
further  define  the  scope  of  the  NSDIR  strate¬ 
gic  plan  and  to  conduct  a  tool  analysis  of 
MAINSTAY,  an  analytical  tool  for  data  analy¬ 
sis  and  presentation. 


■  Capability  Maturity  Models 

The  Capability  Maturity  Models  Project 
maintains  stewardship  over  three  capability 
maturity  models  (CMMs)  that  organizations 
can  use  to  improve  their  capability  to  develop 


■  2  Software  Process 


and  maintain  systems  and  software  products. 
These  are: 

•  Software  capability  maturity  model 
(CMM) 

•  Systems  engineering  capability  maturity 
model  (SE-CMM) 

•  People  management  capability  maturity 
model  (PM-CMM) 

These  models  are  periodically  updated  to 
reflect  evolutions  in  the  state  of  the  art  of  soft¬ 
ware  engineering,  systems  engineering, 
human  resources  development,  total  quality 
management,  and  other  relevant  areas  of 
organizational  improvement.  In  addition,  the 
project  is  involved  in  three  efforts: 

•  Developing  guidance  in  tailoring  each 
model  to  make  it  more  applicable  to  a  par¬ 
ticular  organization,  market  sector,  and 
small  organizations. 

•  Developing,  delivering,  and  licensing 
training  in  the  models. 

•  Participating  in  or  leading  relevant  stan¬ 
dards  development  efforts. 

This  quarter,  progress  was  made  toward 
planning  for  version  2  of  the  CMM  and  in  dis¬ 
seminating  more  practical  information  on  use 
of  the  CMM.  The  CMM  Advisory  Board 
selected  new  members  and  began  discussion 
of  the  technical  approach  to  be  taken  in  the 
development  of  version  2  of  the  CMM.  Two 
articles  were  accepted  for  publication:  (1) 
changes  from  version  1.0  to  1.1  of  the  CMM 
(to  appear  in  CrossTalk),  and  (2)  a  technical 
report  comparing  the  CMM  with  Interna¬ 
tional  Standards  Organization  9001  (accepted 
for  publication  in  IEEE  Software).  A  presenta¬ 


tion  on  the  project's  initial  plans  for  version  2 
of  the  CMM  was  given  at  the  Software  Engi¬ 
neering  Institute  (SEI)  Software  Engineering 
Symposium. 

The  systems  engineering  capability  maturity 
model  (SE-CMM)  effort  was  instituted  in 
August  1993  in  response  to  industry  requests 
for  assistance  in  coordinating  and  publishing 
a  model  analogous  to  the  software  CMM  for 
the  systems  engineering  community.  This 
quarter,  workshops  were  held  to  review  the 
content  of  successive  drafts  of  the  SE-CMM 
model  description.  The  first  workshop  was 
held  in  Pittsburgh  in  July;  the  second  work¬ 
shop  took  place  at  the  Electronics  Industries 
Association  Conference  in  Denver  in  Septem¬ 
ber.  In  preparation  for  the  second  workshop, 
release  2  of  the  SE-CMM  model  description 
was  issued  and  for  this  work,  one  project  par¬ 
ticipant  received  a  best  paper  award  at  the 
National  Council  on  Systems  Engineering 
(NCOSE)  Conference  in  August.  Addition¬ 
ally,  an  overview  of  the  SE-CMM  effort  was 
given  at  the  SEI  Software  Engineering 
Symposium. 

The  people  management  capability  maturity 
model  (PM-CMM)  effort  is  a  continuation  of 
the  human  resources  maturity  model  effort. 
Sponsors  for  continuing  the  effort  were  estab¬ 
lished  late  in  the  second  quarter  of  1994.  The 
purpose  of  the  effort  is  to  enhance  the  readiness 
of  software  development  and  information  sys¬ 
tems  organizations  to  undertake  increasingly 
complex  applications  by  helping  them  attract, 
grow,  motivate,  deploy,  and  retain  the  talent 
necessary  to  improve  their  software  develop¬ 
ment  capability.  Though  targeted  for  the 
software  and  information  systems  communi¬ 
ties,  the  principles  and  many  of  the  practices 
apply  equally  to  systems  engineering.  As  both 
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the  PM-CMM  and  SE-CMM  efforts  proceed, 
closer  synergy  and  compatibility  is  expected 
between  these  two  efforts. 

This  quarter,  the  PM-CMM  advisory  board 
met  and  provided  information  on  best  prac¬ 
tices  in  their  areas  of  expertise  to  help 
elaborate  the  key  practices  (written  at  a  high 
level)  in  version  1  of  the  PM-CMM.  By  the 
end  of  the  quarter,  subpractices  were  written 
for  the  repeatable  maturity  level,  and  internal 
reviews  of  these  began. 

The  project  is  developing  guidance  in  how  to 
tailor  a  capability  maturity  model  to  help 
make  it  more  applicable  to  particular  organi¬ 
zations,  market  sectors,  and  small 
organizations.  Tailoring  is  needed  for  two 
reasons: 

1.  The  degree  to  which  processes,  work 
products,  and  roles  need  to  be  formalized 
differs  according  to  business  need,  type  of 
domain,  and  nature  of  the  organization. 

2,  Special  concerns  (e.g.,  reliability  and  secu¬ 
rity)  require  greater  rigor  in  the  imple¬ 
mentation  of  the  key  process  areas. 

This  quarter,  progress  was  made  in  CMM 
education  and  course  delivery.  A  draft 
instructor's  guide  for  the  "Introduction  to  the 
CMM"  course  was  completed  and  the  newly- 
developed  course  entitled,  "CMM  Train  the 
Trainer"  was  piloted.  This  course  will  aid  in 
transitioning  the  "Introduction  to  the  CMM" 
course  more  broadly.  A  decision  was  made  to 
suspend  development  of  a  CMM  knowledge 
test  to  help  those  who  are  required  to  take  the 
CMM  introductory  course — but  who  already 
have  the  knowledge  covered  by  the  course — 
qualify  without  having  to  take  the  course. 


This  decision  was  based  on  the  small  demand 
for  the  test,  the  beyond-expected  effort 
required  for  such  a  test,  and  the  desire  to 
focus  project  efforts  on  more  mission-critical 
areas.  The  CMM  Advisory  Board  met  to  dis¬ 
cuss  the  content  of  the  "Advanced  CMM" 
course,  now  being  planned  for  development 
in  1995. 

The  SEI  hosted  a  quarterly  meeting  of  Soft¬ 
ware  Process  Improvement  and  Capability 
dEtermination  (SPICE)  at  the  SEI  in  August. 
Also,  the  SEI  continues  in  a  leadership  posi¬ 
tion  both  in  managing  the  SPICE  Project  and 
in  development  of  the  SPICE  baseline  prac¬ 
tices  guide,  whose  purpose  is  to  guide 
process  improvement  and  process  assess¬ 
ment.  Project  members  participated  in 
writing  two  drafts  of  the  baseline  practices 
guide  and  contributed  to  the  development 
and  trials  planning  for  other  components  of 
the  SPICE  product  suite.  In  addition,  one 
CMMs  project  member  has  begun  coordinat¬ 
ing  the  trials  of  the  SPICE  products  in  the  U.S. 
Another  member  of  the  Software  Process  Pro¬ 
gram  has  begun  working  with  international 
colleagues  to  devise  an  appropriate  plan  for 
trial  testing  the  full  suite  of  SPICE  products. 

Also  this  quarter,  discussions  continued  on 
how  to  best  accomplish  architectural  integra¬ 
tion  of  the  three  CMMs.  Project  members  will 
plan  periodic  team  meetings  (consisting  of 
the  leaders  of  all  three  efforts  developing  a 
CMM)  to  discuss  how  the  architectures  across 
models  might  best  be  integrated.  Full  integra¬ 
tion  is  not  expected  until  1996,  at  best,  given 
that  the  different  communities  have  taken 
different  directions  (architecturally)  and  also 
due  to  the  timeframes  of  the  different  efforts. 


■  4  Software  Process 


I  Capability  Maturity  Model-Based 
Appraisal 

The  Capability  Maturity  Model-Based 
Appraisal  (CBA)  project  consists  of  the 
former  Software  Capability  Evaluation  (SCE) 
and  Software  Process  Assessment  Projects. 
The  mission  of  the  CBA  project  is  to  develop, 
transition,  and  support  a  CMM-based 
appraisal  architecture  and  selected  appraisal 
methods  that  are  effective  vehicles  for  meet¬ 
ing  the  needs  of  the  software  community. 
This  merger  was  brought  about  to  better  meet 
community  needs  and  make  more  effective 
and  efficient  use  of  existing  Software  Engi¬ 
neering  Institute  (SEI)  resources. 

The  Common  Rating  Framework  (CRF)  is  a 
framework  for  developing,  defining,  and 
using  appraisal  methods  based  on  the  SEI 
Capability  Maturity  Model  (CMM).  This 
quarter,  an  initial  draft  of  a  document 
describing  the  CRF  was  completed  and  sent 
to  external  reviewers  for  comments. 

This  quarter,  the  SEI  reached  business  agree¬ 
ments  for  commercializing  the  SEI-developed 
SCE  training.  A  joint  agreement  was  reached 
among  the  SEI  and  Abacus  Technology  Cor¬ 
poration  and  the  Institute  for  Software  Process 
Improvement.  An  agreement  was  also  reached 
between  the  SEI  and  Integrated  System  Diag¬ 
nostics,  Inc.  The  SEI  will  retain  the  basic  SCE 
methods  and  frameworks,  including  stan¬ 
dards,  authorization,  assessment  and 
monitoring  of  the  state  of  the  practice.  The  SEI 
will  also  retain  the  right  to  conduct  limited 
training  for  course  development,  and  verifica¬ 
tion  and  validation  as  needed  for  prototyping, 
improving,  and  extending  the  underlying 
technology.  It  is  anticipated  that  the  transfer  of 
the  SCE  training  technology  will  occur  over 
time.  With  the  signed  agreements. 


This  quarter,  field  exercises  for  the  CBA  for 
Internal  Process  Improvement  (IPI)  Method 
were  conducted.  CBA  methods  are  used  for 
appraising  the  software  process  of  an  organi¬ 
zation  to  gain  insight  into  its  software 
development  capability.  The  objectives  of  the 
exercises  were  to  verify  that  requirements 
identified  by  the  SEI  have  been  met  in  the 
new  assessment  method  and  to  validate  that 
customers'  needs  are  satisfied. 

Currently,  the  CBA  Project  is  incorporating 
lessons  learned  from  the  field  exercises  into 
the  CBA  IPI  assessment  method.  CBA  IPI  ver¬ 
sion  1.0  is  scheduled  to  be  released  during  the 
next  quarter. 

This  quarter,  the  following  courses  were 
delivered  by  CBA  project  members:  SCE  v2.0 
Refresher  Training,  SCE  Overview,  SCE  Team 
Training  (including  two  on-site  courses), 
CBA  IPI  Team  Training,  and  CBA  IPI  Lead 
Assessor  training. 


I  Empirical  Methods 

The  Empirical  Methods  (EM)  Project  works 
to  develop  methods  for  generating  informa¬ 
tion  to  guide  and  inform  decisions  regarding 
process  change  and  technology  adoption.  EM 
work  also  addresses  the  state  of  software 
engineering  with  respect  to  process  maturity 
and  the  organizational  impacts  of  software 
process  improvement.  Finally,  EM  provides 
empirical  research  expertise  to  other  efforts 
within  the  Software  Engineering  Institute 
(SEI). 

The  EM  project,  along  with  the  Software  Pro¬ 
cess  Measurement  Project,  completed  a 
technical  report  on  organizational  gains  asso- 
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ciated  with  capability  maturity  model 
(CMM)-based  software  process  improve¬ 
ment.  Benefits  of  CMM-Based  Software  Process 
Improvement:  Initial  Results  contains  general 
results  from  13  participating  software  organi¬ 
zations  and  5  case  studies.  A  summary  of  the 
work  appeared  in  the  September  issue  of 
American  Programmer .  Plans  for  follow-up 
efforts  have  been  developed.  EM  also 
released  the  special  report,  Software  Process 
Maturity  Questionnaire  (MQ  SR).  For  more 
information  on  the  MQ  SR,  contact  the  SEI 
Customer  Relations  Office  (see  page  35  for 
contact  information).  The  MQ  SR  is  also 
available  via  FTP  (see  page  35  for  details  on 
how  to  access  SEI  documents  electronically). 

This  quarter,  progress  was  made  with  the 
CMM  validation  effort.  The  birds-of-a- 
feather  session,  held  at  the  Software  Engi¬ 
neering  Institute  (SEI)  annual  Software 
Engineering  Symposium,  addressed  cus¬ 
tomer  perspectives  for  validating  the  CMM. 
Representatives  from  government  and  indus¬ 
try  attended  the  session  which  resulted  in  a 
list  of  issues  slated  to  be  addressed  in  the 
coming  months. 

The  SEI  continues  to  receive  data  on  the  process 
maturity  of  software  organizations.  The 
software  process  database  now  houses  reports 
from  over  360  software  process  assessments,  11 
interim  profiles,  and  32  appraisals  conducted 
using  other  methods.  Development  work  on  the 
database  focused  on  accommodating  results 
from  the  new  CMM-based  appraisal  internal 
process  improvement  method  and  improving 
the  data  entry  and  reporting  functions.  An 
updated  community  maturity  profile  briefing 
covering  284  software  process  assessments 
conducted  through  the  end  of  1993  was 
presented  at  the  1994  Software  Engineering 


Symposium.  Work  has  begun  on  an  update, 
which  will  be  released  in  October. 

This  quarter,  the  EM  Project  supported  the 
survey  efforts  of  several  other  parts  of  the 
SEI.  These  included  surveys  addressing  cus¬ 
tomers  of  SEI  educational  products,  SEI  sub¬ 
scribers,  the  students  in  the  personal  software 
process  course,  and  evaluations  of  SEI  events. 


■  Process  Research 

The  objective  of  the  Process  Research  Project  is 
to  identify  the  factors  that  limit  the  perfor¬ 
mance  of  software  development  professionals 
by  exploring  the  use  of  software  process  prin¬ 
ciples  by  individuals  and  small  teams.  This 
research  seeks  insight  into  the  processes,  tools, 
and  methods  that  will  be  most  helpful  in 
improving  the  performance  of  software  pro¬ 
fessionals  and  their  organizations. 

As  a  result  of  this  work,  the  project  has  pro¬ 
duced  the  personal  software  process  (PSP). 
The  project  has  shown  that  process  improve¬ 
ment  principles  can  be  applied  to  the  work  of 
individual  software  engineers.  In  several  uni¬ 
versity  courses,  student  data  demonstrate 
that  the  PSP  helps  students  to  substantially 
improve  the  quality  of  their  work,  while  pro¬ 
viding  them  a  sound  method  for  project 
planning  and  management.  Students  and 
engineers  have  reduced  their  numbers  of  test 
defects  by  3  to  10  times  while  improving  their 
productivity.  Engineers  also  find  that  the  PSP 
helps  them  to  plan  and  manage  their  per¬ 
sonal  commitments. 

The  project  continues  to  work  with  academia 
and  industry  on  PSP  introduction  methods. 
The  industrial  track  is  working  with  several 
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software  organizations  on  the  issues,  prob¬ 
lems,  and  benefits  of  using  the  PSP  in  their 
work.  The  academic  track  is  aimed  at  PSP 
introduction  into  university  software  engi¬ 
neering  curricula. 

This  quarter,  work  continued  with  Digital 
Equipment  Corporation  (DEC)  on  introduc¬ 
ing  and  using  the  PSP.  Several  teams  in 
Nashua,  New  Hampshire  are  applying  the 
PSP  to  software  development  and  mainte¬ 
nance.  Early  results  indicate  that  the  PSP  has 
helped  them  to  define  their  work  processes, 
make  meaningful  measurements,  and  use  the 
results  to  better  manage  their  work.  DEC  is 
now  broadening  PSP  introduction  to  other 
divisions. 

The  project  leader  gave  an  additional  9  lec¬ 
tures  in  the  Hewlett  Packard  Corporation 
(HP)  PSP  training  program.  From  the  six  sev¬ 
eral  exercises,  the  19  experienced  engineers 
show  somewhat  lower  initial  defect  levels 
than  the  university  students  but  comparable 
improvement  rates.  As  shown  in  the  next 
table,  the  improvement  rates  for  the  groups 
vary,  but  all  are  significant. 


Total 

Course 

First  Six 
Exercises 

Total 

Course 

First  Six 
Exercises 

Carnegie  Mellon 

60.0 

56.5 

88.9 

6.2 

Embry-Riddle 

Aeronautical 

University 

73.3 

33.6 

62.1 

12.5 

He  wle  tt-Packar  d 

- 

56.6 

— 

47.5 

Industrial  transition  work  continues  with  the 
Advanced  Information  Services  Corporation 
in  Peoria,  Illinois.  The  project  leader  visited 


this  group  in  September  and  interviewed  the 
engineers  who  completed  the  PSP  course. 
They  have  found  the  PSP  materials  help  them 
in  planning  and  managing  their  work  and  in 
coordinating  with  their  customers. 

Because  of  the  rapidly  growing  industrial 
interest  in  the  PSP,  the  SEI  will  not  likely  have 
sufficient  resources  to  train  the  numbers  of 
engineers  industry  will  require.  The  project  is 
therefore  offering  a  prototype  PSP  teach-the- 
teachers  course.  The  objective  is  to  enable 
organizations  to  train  their  own  engineers. 
The  course  is  planned  to  take  place  in  the 
fourth  quarter  of  1994  and  will  have  a  capac¬ 
ity  of  20  students.  In  the  first  week  since  its 
announcement,  16  slots  have  been  reserved. 

Academic  transition  work  continues  with 
1994-1995  school  year  offerings  planned  at 
the  University  of  Massachusetts,  McGill 
University,  Embry-Riddle  Aeronautical 
University  (ERAU),  George  Washington 
University,  and  Carnegie  Mellon  (CMU).  At 
ERAU,  the  PSP  course  is  the  first  required 
course  for  incoming  masters  students  in 
software  engineering.  The  University  of 
Massachusetts  now  also  requires  the  PSP  as 
part  of  one  of  their  masters  in  software 
engineering  programs. 

This  quarter,  the  project  leader  supported 
two  groups  of  students  in  applying  what  they 
learned  from  the  CMU  PSP  course  to  their 
Masters  of  Software  Engineering  develop¬ 
ment  project.  Also  this  quarter,  the  project 
leader  gave  PSP  presentations  to  the  software 
process  improvement  network  groups  in  the 
California  Bay  Area,  Chicago,  Los  Angeles, 
and  Irvine. 

This  quarter,  the  project  leader  presented  the 
Software  Process  Achievement  Award  to  the 
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Software  Engineering  Laboratory  at  the 
National  Aeronautics  and  Space  Administra¬ 
tion,  Goddard.  This  laboratory  is  jointly  oper¬ 
ated  by  NASA  Goddard,  the  Computer 
Sciences  Corporation,  and  the  University  of 
Maryland. 


Software  Process  Reports 

July  -  September  1994 

A  Comparison  of  ISO  9001  and  the  Capability 
Maturity  Model  for  Software 
CMU/SEI-94-TR-12 


Benefits  ofCMM-Based  Software  Process 
Improvement:  Initial  Result 

CMU/SEI-94-TR-13 


This  document  is  available  via  anonymous  FTP  and  through  the  SEI  Mosaic 
page  (www.sei.cmu.edu).  See  page  35  for  additional  information. 


Software  Process  Maturity  Questionnaire 
CMU  /  SEI-94-SR-7 
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Engineering 

Effective  1  July  1994,  the  Software  Engineering  Techniques  (SET)  Program  and  the  Product 
Attribute  Engineering  (PAE)  Program  combined  to  form  the  Engineering  Program.  The 
Engineering  Program  primarily  represents  the  focus  area  described  as  Disciplined  Engineering  of 
Software-Intensive  Systems  in  the  1995  1&5  Year  Plan  [95  1&5].  The  SET  part  of  the  Engineering 
Program  is  focused  on  identifying,  developing,  evaluating,  and  transitioning  technologies  for 
architectures  and  domain  models  for  software-intensive  systems.  The  PAE  part  of  the 
Engineering  Program  is  focused  on  identifying,  developing,  evaluating,  and  transitioning 
technologies  to  predict  and  control  the  quality  attributes  of  software-intensive  systems. 

The  goal  of  the  Software  Engineering  Techniques  part  of  the  program  is  to  improve  effectiveness 
and  efficiency  in  engineering  and  reengineering  of  large  software-intensive  systems  through 
increased  use  of  engineering  knowledge.  This  will  be  accomplished  through  systematic 
application  of  product  models  supported  by  methods  and  automated  by  tools.  The  approach  is 
referred  to  as  model-based  software  engineering.  This  goal  is  accomplished  through  four  projects 
and  through  leverage  of  work  in  the  PAE  part  of  the  program.  The  Application  of  Software 
Models  Project  addresses  the  systematic  creation  of  domain  models  and  domain-specific 
architectures  (domain  engineering)  and  their  use  in  building  applications  (application 
engineering)  with  an  emphasis  on  reuse  and  product-line  engineering.  The  Software  Engineering 
Information  Modeling  Project  addresses  issues  of  capturing,  representing,  and  making  accessible 
through  computer-based  support  increasing  amounts  of  engineering  information  ranging  from 
requirements  elicitation  and  system  understanding  to  engineering  knowledge  typically  found  in 
handbooks.  The  Computer-Aided  Software  Engineering  Environments  Project  focuses  on 
automation  of  the  software  engineering  processes  and  addresses  issues  of  integration, 
interoperability,  and  adoption  of  environments.  The  Reengineering  Center  Project  focuses  on 
providing  the  practitioner  community  with  a  systematic  approach  to  evolving  legacy  systems.  It 
draws  from  the  insights  and  results  of  other  Software  Engineering  Institute  (SEI)  projects,  both 
within  the  program  and  within  other  programs,  including  the  PAE  and  Risk  Programs,  as  well  as 
from  the  external  community. 

The  objective  of  the  PAE  (or  Real-Time  Distributed  Systems)  part  of  the  program,  is  to  increase 
predictability  and  reduce  technical  risk  in  the  development  of  software-intensive  systems.  The 
approach  is  to  develop  and  demonstrate  methods  and  tools  for  analyzing,  predicting,  and 
ensuring  quality  attributes  of  software-intensive  systems. 

This  part  of  the  program  consists  of  several  projects.  The  Software  Architecture  Attribute 
Engineering  Project  deals  with  architectural  attributes  and  has  a  strong  focus  on  flight 
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simulators.  The  Open  Systems  Engineering  Project  addresses  open  systems  issues  as  well  as 
dependable,  flexible  software  architectures  (Simplex).  The  Engineering  Maturity  Model  (EMM) 
Project  focuses  on  the  instantiation  of  the  EMM  in  the  context  of  performance  engineering.  The 
Transition  Models  Project  focuses  on  models  of  technology  transition  and  their  realization  in 
transition  planning.  The  Ada  9X  Review  Project  is  a  customer-sponsored  effort  to  facilitate  the 
community  review  of  revisions  to  the  Ada  programming  language,  referred  to  as  Ada  9X. 

In  the  past,  the  Real-Time  Distributed  Systems  Program  concentrated  on  point  solutions 
addressing  selected  quality  attributes,  such  as  efficiency  (rate  monotonic  analysis,  Hartstone 
benchmark)  and  maintainability  (Serpent  user  interface  management  system,  structural  models). 
The  SEI  is  now  addressing  applications  in  which  additional  quality  attributes  such  as  reliability 
and  portability  are  important.  Future  activities  will  also  address  metrics  and  tradeoffs  between 
multiple-quality  attributes. 


■  Application  of  Software  Models 

For  systematic  software  reuse  or  reengineer¬ 
ing,  organizations  must  invest  in  software 
assets  such  as  domain-specific  architectures 
and  models.  As  these  assets  evolve,  the  pro¬ 
cess  for  developing,  maintaining,  or 
reengineering  software  applications  will 
allow  mapping  needs  to  existing  software 
solutions  rather  than  require  a  synthesis 
activity  of  building  from  scratch.  This  devel¬ 
opment  process  will  center  on  developing 
applications  within  a  product  family  from  a 
generic  design  founded  on  software  and 
hardware  architectures. 

This  approach  to  software  development  is  a 
component  of  the  model-based  software 
engineering  (MBSE)  approach  being  pro¬ 
moted  by  the  Software  Engineering  Institute 
(SEI)  Engineering  Program.  The  MBSE 
approach  establishes  a  framework  for  relat¬ 
ing  several  types  of  models: 


•  Abstract  models  give  us  basic  modeling 
concepts.  These  address  questions  such 
as:  What  is  a  domain  model,  what  is  an 
architecture,  and  what  are  the  structures 
for  reusable  components? 

•  Concrete  models  apply  the  abstract  mod¬ 
els  by  adding  domain  information.  They 
include  the  domain  model  of  a  particular 
class  of  applications,  a  generic  design,  a 
collection  of  components,  and  an  applica¬ 
tion  generator.  For  a  specific  domain,  the 
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concrete  models  constitute  a  domain-spe¬ 
cific  software  architecture,  as  has  been 
defined  by  the  Domain-Specific  Software 
Architecture  (DSSA)  Program. 

•  Instances  are  the  applications  built  upon 
the  concrete  models. 

The  creation  of  abstract  models  is  chiefly  a 
research  and  development  activity.  The  SEI 
has  produced  abstract  models  such  as  those 
that  form  the  Feature-Oriented  Domain 
Analysis  (FODA)  method,  the  Object  Con¬ 
nection  Update  model,  and  the  Object 
Connection  Architecture  model.  The  project 
also  uses  abstract  models  created  by  other 
organizations.  MBSE  includes  a  process  for 
creating  concrete  models:  domain  engineer¬ 
ing,  and  a  process  for  using  concrete  models 
in  the  construction  of  applications:  applica¬ 
tion  engineering. 

The  project  is  now  working  to  transition  the 
domain  engineering  approach  piloted  and 
documented  over  the  last  several  years. 

Project  members  have  created  an  interactive 
document  available  through  the  SEI  Mosaic 
page  (www.sei.cmu.edu).  This  document 
describes  the  principles  of  domain  and  appli¬ 
cation  engineering  and  illustrates  their  use 
within  the  Army  movement  control  domain. 
In  addition,  it  contains  an  animated  demon¬ 
stration  of  an  application  built  using  the 
domain  engineering  approach. 

Project  members  are  completing  a  new  ver¬ 
sion  of  the  domain  engineering  training 
course.  This  course  will  cover  the  fundamen¬ 
tals  of  domain  analysis  through  a  FODA 
tutorial.  The  course  will  also  provide  a  com¬ 
prehensive  exercise  to  reinforce  the 


understanding  of  the  methods.  Customers 
wanting  to  initiate  a  domain  analysis  pilot 
project  will  have  a  facilitated  workshop  that 
builds  a  "quick  start"  domain  model. 

Over  the  past  five  years,  the  project  has  pro¬ 
duced  a  series  of  reports  on  the  domain 
analysis  method.  Project  members  are  now 
developing  a  FODA  guidebook  to  provide 
step-by-step  procedures  for  developing  each 
of  the  models. 

Project  members  continue  to  support  several 
technical  objectives  and  plans  (TO&P)  cus¬ 
tomers  and  to  work  with  resident  affiliates. 
These  efforts  include  domain  analysis  and 
domain  engineering  support.  The  project  has 
also  begun  a  new  effort  with  the  Electronic 
Systems  Center  (ESC).  Under  that  TO&P  the 
project  will: 

*  Lead  an  effort  to  define  product  lines 
developed  at  ESC. 

*  Support  the  Central  Archive  for  Reusable 
Defense  Software  (CARDS)  in  its  domain 
analysis  activities  with  Scott  Air  Force 
Base. 

*  Support  the  CARDS  Organizational  Anal¬ 
ysis  for  Reuse  work. 


I  Software  Engineering  Information 
Modeling 

The  Software  Engineering  Information  Mod¬ 
eling  Project  is  investigating  the  creation, 
maintenance,  and  use  of  models  that  are  crit¬ 
ical  to  software  engineering.  The  project  is 
conducting  research  into  the  techniques  and 
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tools  that  will  improve  a  software  engineer's 
ability  to  capture,  represent,  and  access  reus¬ 
able  software  engineering  information, 
knowledge,  and  models.  Work  continues  to 
develop  pilot  technology  that  facilitates 
access  to  software  engineering  information. 

Project  members  continued  to  work  with  Car¬ 
negie  Mellon  University  (CMU)  Robotics 
Institute  researchers  applying  CMU  work  in 
speech  recognition,  natural  language  under¬ 
standing,  and  image  understanding 
technologies  to  aid  in  searching,  browsing, 
and  retrieving  software  engineering  informa¬ 
tion  from  large  multimedia  databases. 

The  prototype,  Informedia,  integrates  sub¬ 
systems  of  Scout,  a  CMU  natural  language 
understanding  system,  and  communicates 
with  Sphinx  II,  a  CMU  speech  recognition 
system.  This  quarter,  the  expansion  of  the 
data  accessible  from  Informedia  continued. 
In  particular,  a  large  requirements  engineer¬ 
ing  information  set  was  also  added.  A 
hypertext  markup  language  parser  was 
added  to  permit  the  presentation  of  Software 
Engineering  Institute  (SEI)  Mosaic  pages  in 
addition  to  the  more  complex  video  informa¬ 
tion  in  Informedia. 

This  quarter,  the  project  demonstrated  Infor¬ 
media  at  the  SEI  Software  Engineering  Sym¬ 
posium  in  August. 


■  CASE  Environments 

The  Computer-Aided  Software  Engineering 
(CASE)  Environments  Project  is  addressing 
the  needs  of  many  software  engineering 


projects  by  helping  them  to  make  more  effec¬ 
tive  use  of  CASE  tools  and  environments.  The 
main  concerns  of  the  project  are  to: 

1.  Engineer  CASE  environments  from  their 
constituent  parts. 

2.  Evaluate  different  CASE  environment 
products,  strategies,  and  technology 
trends  to  provide  predictable,  measurable 
improvement  in  software  development 
organization. 

3.  Adopt  CASE  environments  into  an 
organization  in  a  cost-effective  manner. 

To  address  the  first  concern,  project  members 
continued  work  on  carrying  out  leveraged 
experiments  with  representative  samples  of 
CASE  environment  technologies  and  strate¬ 
gies.  For  example: 

•  Two  different  implementations  of  the 
Common  Object  Request  Broker  Architec¬ 
ture  have  been  installed,  and  experiments 
have  begun  to  understand  its  usefulness 
as  a  CASE  tool  integration  mechanism. 

•  During  a  five-week  visit  to  the  Software 
Engineering  Institute  (SEI)  by  Dr.  Fred 
Long  of  the  University  of  Wales, 
Aberystwyth,  UK,  project  members 
expanded  project  experiments  through 
the  use  of  the  Tool  Connection  Language. 
This  is  being  examined  as  a  possible  light¬ 
weight  approach  to  CASE  tool  integration 
that  can  be  readily  installed,  introduced, 
and  evolved. 

The  second  concern  is  being  addressed 
through  various  practical  and  conceptual 
means.  This  quarter,  project  members  partic¬ 
ipated  in  conferences  and  workshops, 
including  an  Advanced  Research  Projects 
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Agency  Environments  workshop  in  St.  Louis, 
and  various  Integrated  Software  Engineering 
Environment  workshops  organized  by  the 
National  Institute  of  Standards  and  Technol¬ 
ogy  (NIST).  In  addition,  the  project  presented 
a  half-day  tutorial  and  several  papers  at  the 
SEI  Software  Engineering  Symposium  in 
Pittsburgh  in  August. 

The  third  concern  is  being  addressed  through 
the  transition  of  earlier  project  work  on 
developing  a  guide  to  CASE  adoption 
through  an  Institute  of  Electrical  and  Elec¬ 
tronic  Engineers  (IEEE)  recommended 
practice  in  this  area.  Progress  in  this  stan¬ 
dards  activity  is  continuing,  with  the  latest 
IEEE  draft  being  put  forward  for  balloting.  In 
addition,  several  project  members  have  been 
actively  involved  in  working  with  NIST  to 
develop  technology  transition  and  technical 
interchange  opportunities. 

In  the  area  of  open  systems,  one  project  mem¬ 
ber,  in  conjunction  with  others  in  the  SEI, 
carried  out  further  deliveries  of  the  open  sys¬ 
tems  course.  This  course  is  being 
substantially  revised  based  on  the  feedback 
from  these  presentations. 

During  this  quarter,  project  members  spent 
time  participating  in  previously  unscheduled 
activities,  including: 

•  Participation  in  a  software  audit  for  the 
Federal  Aviation  Administration. 

•  Involvement  in  developing  liaisons  and 
draft  work  statements  for  potential  future 
technical  objectives  and  plans  customers. 


■  Reengineering  Center 

The  goal  of  the  Reengineering  Center  Project 
is  to  capture  and  improve  best  practice  in 
reengineering  legacy  systems.  The  approach 
is  to  view  reengineering  of  legacy  systems  as 
a  software  engineering  problem.  As  such,  the 
project  draws  from  expertise,  insights,  and 
the  results  of  existing  work  at  the  Software 
Engineering  Institute  and  within  the  software 
community. 

This  quarter,  the  project  issued  draft  proceed¬ 
ings  to  attendees  at  the  May  workshop,  and 
received  concurrence  on  these  proceedings. 
In  addition  the  draft  for  the  "Guide  to  Best 
Practice"  was  revised,  and  assignments  were 
made  for  writing  several  of  its  sections.  The 
guide  will  address  of  the  following  issues: 

•  Planning  reengineering  projects 

•  Reengineering  process  models 

•  Legacy  system  understanding 

•  Organizational  readiness  for  reengineering 

•  Reengineering  technologies 

•  Reusing  available  software  assets 

•  Acquisition  policy  considerations 

•  Business  process  reengineering 

•  Case  studies  and  lessons  learned 

•  Information  resources 


M  Software  Architecture  Technology 
Initiative 

The  purpose  of  the  Software  Architecture 
Technology  Initiative  is  to  provide  a  focused 
effort  in  evaluation  of  architectural  represen- 
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tation  languages  and  analysis  tools  as  well  as 
in  methods  for  evaluating  software 
architectures. 

This  quarter,  project  members  produced  two 
technical  papers  that  will  appear  in  Bridge , 
the  Software  Engineering  Institute  (SEI) 
newsletter,  and  the  Institute  of  Electrical  and 
Electronic  Engineers  publication.  Crosstalk . 
Each  paper  provides  a  general  overview  of 
the  field  of  software  architecture,  emphasiz¬ 
ing  its  role  in  system  development.  Each 
paper  targets  high-level  technical  managers 
who  are  interested  in  pursuing  architecture 
technology. 

Project  members  participated  in  a  panel  at  the 
SEI  Software  Engineering  Symposium  enti¬ 
tled  "The  Complimentary  Nature  of 
Programs  with  Architecture/Reuse  Focus." 
The  presentation  illustrated  the  various  ways 
in  which  SEI  technology  projects  revolve 
around  the  theme  of  architecture  in  a  non¬ 
competing  fashion. 

Project  members  also  prepared  a  briefing 
entitled  "What  Are  Software  Architectures, 
and  Why  Do  I  Care?"  for  presentation  at  the 
National  Oceanic  and  Atmospheric  Adminis¬ 
tration  Software  Engineering  Symposium  in 
September. 

Candidate  applications  for  the  best  practices 
case  study  were  identified  this  quarter.  The 
leading  contenders  represent  a  broad  spec¬ 
trum  of  application  areas  and  technology 
levels,  as  well  as  a  cross-section  of  quality 
attributes  that  drove  each  architecture  choice. 
The  leading  contenders  for  case  studies  are: 

•  Real-time  machine  controllers  (National 
Institute  of  Standards  and  Technology). 


•  Ultra-high  availability  air  traffic  control 
systems  (Federal  Aviation  Administra¬ 
tion). 

•  Structural  modeling,  emphasizing  high 
maintainability  and  evolution. 

•  Architectures  for  telecommunications 
(Motorola  and/or  others). 

•  Architecture-based  application  genera¬ 
tors  such  as  GenVoca  (University  of 
Texas). 

•  Architecture-based  development  of  product¬ 
line  families,  such  as  shipboard  fire-control 
systems  (CelsiusTech). 

A  standard  outline  for  the  case  studies  to 
facilitate  comparison  among  applications  has 
been  drafted  and  is  being  circulated  for 
review. 

Project  members  continued  work  on  the  Soft¬ 
ware  Architecture  Analysis  Method,  a 
method  in  which  architectures  are  analyzed 
for  their  support  of  specific  quality  attributes. 
Analysis  of  Internet-style  communication 
networks  is  underway;  systems  such  as 
Mosaic  and  WAIS  are  being  examined  for 
quality  attributes  that  exist  in  a  domain-stan¬ 
dard  conceptual  model. 

Project  members  continued  refining  the  draft 
of  a  taxonomy  for  software  architecture  rep¬ 
resentation  languages  (textual  or  graphical 
languages  for  representing  architectures). 
Languages  vary  in  their  ability  to  support 
analysis,  expressiveness,  tool  and  environ¬ 
mental  support,  applicability,  and  the 
development  process  they  assume  or  facili- 
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tate.  Future  work  calls  for  refinement  of  the 
taxonomy,  applying  it  to  a  select  handful  of 
important  languages  such  as  Shaw's  UniCon 
or  TRW's  UNAS,  and  for  publishing  the 
results  in  a  major  journal  or  conference 
proceedings. 

Work  continued  this  quarter  on  an  annotated 
bibliography  of  important  documented 
works  concerning  software  architecture.  This 
bibliography  will  be  made  available  over 
widely  used  computer  networks  so  that 
beginning  practitioners  may  take  advantage 
of  a  completed  literature  search  to  reduce 
learning  time  in  the  field.  An  initial  corpus 
has  been  collected  and  entered  in  machine- 
readable  form,  and  a  standard  organization 
for  the  bibliography  has  been  adopted.  In 
addition,  work  continued  on  the  process  of 
refining  a  previously  produced  draft  pro¬ 
spectus  on  software  architecture.  This  pro¬ 
spectus  will  help  prospective  customers 
understand  SEI  work  in  the  area  and  how 
that  work  relates  to  other  research  and  devel¬ 
opment  efforts  in  the  field. 


I  Software  Architecture  Attribute 
Engineering 

Traditionally,  designers  achieve  non-func¬ 
tional  qualities  of  the  systems  they  design 
through  ad  hoc  techniques.  There  is  no  sys¬ 
tematic  method  for  analyzing  a  design  at  an 
early  stage  to  determine  the  quality  of  the 
resulting  system.  The  goal  of  the  Software 
Architecture  Attribute  Engineering  Project  is 
to  develop  quantitative  methods  for  analyz¬ 
ing  and  predicting  important  qualities  from 
software  architectural  descriptions.  The 
project  is  initially  focussing  on  systems  engi¬ 
neering  related  to  architecture,  specifically 


the  extent  to  which  an  architecture  provides 
an  early  synthesis  of  large,  complex  systems. 
The  synthesis,  in  the  form  of  a  structural 
model,  is  used  to  organize  information  about 
the  system  under  development  and  provides 
the  basis  for  using  information  about  the 
evolving  system  to  predict  qualities  of  the 
completed  system. 

This  quarter,  project  members  continued 
work  on  an  architecture  testbed  to  explore 
simulator  design  issues  and  to  test  and  vali¬ 
date  models  of  system  synthesis.  The  project 
obtained  key  support  from  the  simulator 
community  and  began  work  on  enhancing 
and  extending  the  structural  models  for  the 
testbed.  As  now  scoped,  the  testbed  will 
encompass  complete  functionality  for  a 
broad  range  of  simulators. 

Also  this  quarter,  the  project  completed  the 
industry  review  of  its  structural  modeling 
guidebook  to  be  turned  over  by  the  Air 
Force's  Aeronautical  Systems  Command  Pro¬ 
gram  Office  for  Simulators  and  Training 
Devices  for  release  during  the  next  quarter.  In 
the  area  of  transition,  the  project  also  began 
work  on  the  first  of  a  series  of  training 
courses,  a  course  for  managers  on  the  role  of 
architectures  in  systems  engineering. 

I  Open  Systems  Engineering 

The  Open  Systems  Engineering  Project 
includes  three  major  efforts: 

1.  Standards  activities  that  aim  at  securing  a 
set  of  open  standards  for  mission-critical 
systems  with  real-time  and  dependability 
requirements. 
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2.  A  software  architecture  based  on  open 
system  components  that  is  designed  to 
enable  mission-critical  systems  to  be  safe¬ 
ly  upgraded  without  having  to  shut  them 
down  and  in  spite  of  design  and  imple¬ 
mentation  errors  in  new  software. 

3.  Education  for  program  managers  about 
the  promises  and  pitfalls  of  using  open 
system  standards,  and  workshops  for 
practitioners  on  state-of-the-art  real-time 
and  fault-tolerant  technology. 

This  quarter,  project  members  supported  the 
Institute  of  Electrical  and  Electronic  Engi¬ 
neers  (IEEE)  Portable  Operating  System 
Interface  (P1003)  project.  This  work  is  sup¬ 
ported  by  the  Navy  Next  Generation 
Computer  Resources  (NGCR)  Program. 
Project  members  work  with  the  Real-Time 
Distributed  Systems  Communications  Work¬ 
ing  Group  (P1003.21),  which  is  developing 
standards  for  the  real-time  domain.  Project 
members  serve  as  chair  and  technical  editor 
for  this  group.  As  part  of  this  effort,  a  require¬ 
ments  document  has  been  developed  that  the 
IEEE  will  be  disseminating  as  part  of  its  effort 
to  publicize  emerging  technology  practices. 
The  pace  of  this  work  has  been  slowed  by  the 
chair's  participation  in  the  Federal  Aviation 
Administration  effort. 

Project  members  have  continued  the  effort  to 
help  NGCR  define  candidate  high-perfor¬ 
mance  network  standards.  In  addition  to 
participating  in  the  meetings,  project  mem¬ 
bers  developed  the  draft  real-time  extensions 
to  the  existing  asynchronous  transfer  mode 
standard  and  analyzed  the  properties  and 
schedulability  of  the  proposed  extension.  A 
report  was  prepared  and  sent  to  NGCR. 


The  current  version  of  the  uniprocessor  dem¬ 
onstration  has  generated  interest  in  many 
forums.  The  project  has  now  received  invita¬ 
tions  from  a  majority  of  national  conferences 
dealing  with  real-time  and  dependability 
issues.  Project  members  have  continued  to 
demonstrate  the  existing  prototype  to  many 
important  visitors  to  the  Software  Engineer¬ 
ing  Institute  (SEI),  including  a  demonstration 
to  the  Deputy  Undersecretary  of  Advanced 
Technologies. 

The  design  of  the  project's  application  soft¬ 
ware  architecture  for  the  distributed  version 
of  the  demonstration  of  fault-tolerant  real¬ 
time  systems  was  completed.  This  architec¬ 
ture  was  successfully  demonstrated  during 
the  1994  SEI  Software  Engineering  Sympo¬ 
sium.  It  integrates  generalized  rate  monotonic 
scheduling,  analytic  redundancy,  and  mem¬ 
bership  protocol  to  support  structured  system 
evolution.  The  SEI  demonstration  showed: 

•  The  online  addition  of  new  applications 
to  an  existing  system  for  automatic  con¬ 
trol. 

•  The  online  improvement  of  an  existing 
software  component. 

•  The  online  replacement  of  hardware  in  a 
functioning  system. 

•  The  ability  to  tolerate  not  only  hardware 
faults  but  also  errors  in  the  design,  imple¬ 
mentation,  or  modification  of  complex 
software  applications. 

The  project  has  been  cooperating  with 
MITRE  on  the  application  of  the  simplex 
architecture  to  tracking  applications.  A 
MITRE-led  demonstration  at  the  SEI  Sympo¬ 
sium  showed: 
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•  Integration  of  multiple  tracking  algo¬ 
rithms  that  enhance  tracking  system  per¬ 
formance,  fault  tolerance,  robustness,  and 
accuracy  under  hard  real-time  con¬ 
straints. 

•  Online  real-time  improvement  and  main¬ 
tenance  for  an  evolvable  and  open  sur¬ 
veillance  system. 

•  The  ability  to  reliably  integrate  new  tech¬ 
nology  into  older  systems  through  the 
application  of  fault  tolerance  and  real¬ 
time  techniques. 

In  collaboration  with  the  SEI  Computer- 
Aided  Software  Engineering  Environments 
Project,  the  Open  Systems  Engineering 
Project  is  continuing  to  develop  a  prototype 
course  on  open  systems,  intended  for  pro¬ 
gram  management  office  personnel.  The 
course  has  been  delivered  twice  to  the  spon¬ 
sor  and  project  members  continue  to  examine 
the  large-scale  transition  aspects  of  the 
course.  As  part  of  the  course  transition,  the 
project  has  developed  a  reference  model  for 
the  interaction  between  the  SEI  and  the  exter¬ 
nal  community.  An  overview  was  given 
during  the  SEI  Software  Engineering 
Symposium. 

Other  activities  of  projects  members  in  the 
third  quarter  included: 

•  Helping  the  National  Institute  for  Stan¬ 
dards  and  Technology  (NIST)  establish  a 
center  for  dependability  (Center  for  High 
Integrity  Software  &  System  Assurance). 

•  Helping  Sandia  Labs  with  software  reli¬ 
ability  efforts. 


•  Working  with  NIST  in  its  Focused 
Advanced  Technology  Workshop  on 
Dependable  and  Renewable  Systems.  The 
simplex  architecture  was  demonstrated  at 
the  workshop. 

•  Chairing  the  heterogeneous  communica¬ 
tions  focus  group  for  the  IEEE  P1003.21 
effort. 


■  Engineering  Maturity  Model 

This  effort  focuses  on  the  development  of  an 
engineering  maturity  model  (EMM)  to  com¬ 
plement  the  capability  maturity  model 
(CMM).  While  the  purpose  of  the  CMM  is  to 
stimulate  the  evolution  of  organizations  to  a 
continuously  improving,  controlled  state,  the 
purpose  of  the  EMM  is  to  stimulate  the  evo¬ 
lution  of  product  engineering  practices  used 
to  predict  and  control  properties  of  software 
artifacts.  The  CMM  is  typically  used  to  eval¬ 
uate  the  maturity  of  organizations;  the  EMM 
will  be  used  to  determine  how  practices  can 
best  be  improved  to  gain  better  predictability 
and  control  over  properties  of  software 
systems. 

EMM  project  members  are  currently  investi¬ 
gating  the  utility  of  the  EMM  concept  for  a 
specific  property  of  software,  namely  soft¬ 
ware  performance.  The  initial  approach  is  to 
collect  information  on  current  practices  and 
problems  by  interviewing  engineers  in  aero¬ 
space  companies  associated  with  the  Soft¬ 
ware  Engineering  Institute.  Seven  interviews 
(with  four  organizations)  have  been  con¬ 
ducted  so  far.  The  information  collected  in 
these  interviews  is  being  organized  into  a 
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framework  describing  performance  engi¬ 
neering  problems  and  practices.  Throughout 
the  next  quarter,  project  members  will  be  doc¬ 
umenting  this  information  and  applying 
EMM  concepts  to  test  the  viability  of  the  con¬ 
cepts. 


H  Transition  Models 

The  Transition  Models  (TM)  Project  inte¬ 
grates  technology  transition  research  and 
best  practices  into  frameworks  and  develops 
planning  tools  and  assessment  instruments 
for: 

•  Change  agents  who  help  organizations 
adopt  new  software  engineering  technol¬ 
ogy- 

•  Researchers  and  new  product  developers. 

TM  products  are  based  on  research  and  expe¬ 
rience  (including  tacit  know-how)  in 
technology  transition,  integrated  and  synthe¬ 
sized  for  use  by  the  software  engineering 
community.  The  project's  strategies  include 
information  dissemination  and  outreach 
(workshops,  colloquia,  and  courses),  partner¬ 
ships  (co-development  and  co-evolution  of 
materials),  and  the  development  of  pull  capa- 
bility  (working  with  technology  receptors, 
especially  software  engineering  process 
groups).  The  ultimate  goal  is  concurrent  soft¬ 
ware  technology  transition:  near- 

simultaneous  technology  creation,  adoption, 
and  application. 

This  quarter,  project  members  worked  with 
the  Program  Development  Division  (PDD)  to 


define  joint  work  in  technology  transition. 
TM  continued  to  work  with  PDD  and  a  rep¬ 
resentative  of  Westinghouse  to  define  a 
cooperative  effort  in  technology  transition, 
targeted  at  Department  of  Energy  laborato¬ 
ries.  In  addition,  a  number  of  technical 
collaboration  agreements  (TCAs)  have  been 
negotiated  with  industry  partners.  Three  col¬ 
laborative  activities  are  under  way  with 
Xerox,  Hewlett-Packard  (HP),  and  CaseWare, 
Inc;  these  activities  are  identified  below. 

At  CaseWare,  work  has  been  initiated  on  a  set 
of  workshops:  a  generic  introductory  tutorial 
on  technology  adoption  and  implementation 
(principal,  TM)  and  a  specific  workshop  on 
adoption  of  a  software  configuration  man¬ 
agement  tool  (principal,  CaseWare).  An 
informal  market  survey  by  CaseWare  staff 
reveals  significant  interest  in  the  workshops. 

In  the  third  quarter,  project  members  and  a 
representative  of  HP  Corporate  Quality 
began  to  beta  test  the  HP  technique  and  tem¬ 
plate  for  the  planning  of  product  offerings. 
This  technique  is  derived  from  "whole  prod¬ 
uct"  planning.  The  potential  product  that  TM 
is  evaluating  is  the  technology  transfer 
project  management  tool,  now  existing  in 
prototype  form,  (the  result  of  an  earlier  and 
continuing  TCA  with  the  Facultad  Informat- 
ica  of  the  Universidad  Politecnica  de 
Madrid).  The  technical  collaboration  with  HP 
is  nearing  completion,  and  a  special  report  on 
the  findings  from  the  planning  effort  is  being 
prepared. 

Two  new  efforts  began  this  quarter.  First,  a  set 
of  fact  sheets  on  software  technology  transi¬ 
tion  were  developed  and  produced.  These 
fact  sheets  are  aimed  at  change  agents  and 
include  information  on  models,  checklists. 
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readings,  and  definitions  used  in  transition 
efforts.  The  fact  sheets  were  made  available 
simultaneously  in  print  and  through  Mosaic 
on  the  world-wide  web,  and  were  demon¬ 
strated  at  the  SEI  Software  Engineering 
Symposium.  Second,  TM  project  members 
began  an  internal  collaboration  with  develop¬ 
ers  of  the  Software  Engineering  Improvement 
Method  on  the  development  of  "transition 
packages"  for  technologies  associated  with 
key  practice  areas  in  the  capability  maturity 
model. 

In  September,  project  members  presented  a 
paper,  "Compensating  for  Immaturity:  The 
Adoption  of  a  New  Software  Technology,"  in 
the  hardware  and  software  technology  track 
at  the  13th  International  Federation  of  Infor¬ 
mation  Processing  (IFIP)  World  Congress  in 
Hamburg,  Germany.  This  paper  is  based  on  a 
case  study  of  rate  monotonic  analysis  (RMA), 
and  the  adoption  of  RMA  by  a  large  multina¬ 
tional  organization.  In  conjunction  with  the 
congress,  the  IFIP  Working  Group  on  Diffu¬ 
sion,  Transfer,  and  Implementation  of 
Information  Technology,  WG8.6,  hosted  a 
half-day  workshop.  The  TM  project  leader 
chairs  WG  8.6.  The  program  for  this  work¬ 
shop  included  a  presentation  of  the  scope  and 
aims  for  WG  8.6,  a  panel  discussion  on  "Infor¬ 
mation  and  Software  Technology  Transfer: 
Crossing  Cultural  Boundaries,"  and  a  work¬ 
ing  session  on  experiences  with  planning  the 
introduction  of  software  and  information 
technology. 

In  conjunction  with  the  September  trip  to  the 
IFIP  congress,  project  members  participated 
in  technical  exchange  meetings: 


•  At  the  Polytechnic  University  of  Madrid, 
project  members  evaluated  the  feasibility 
prototype  for  the  technology  transfer 
project  management  tool,  determined 
protocols  for  testing,  and  negotiated  a 
work  assignment  for  a  resident  affiliate 
who  will  begin  working  with  the  project 
in  January  1995. 

•  At  the  National  Computing  Center  (NCC) 
in  Manchester,  project  members  sought  to 
better  understand  the  30-year  history  of 
the  NCC  as  a  research  and  development 
institute  and  explored  areas  of  technical 
collaboration. 

•  At  the  industry  directorate  at  the  Com¬ 
mission  of  the  European  Communities  in 
Brussels,  project  members  discussed 
issues  of  cooperation  and  software  tech¬ 
nology  transition. 


■  Ada  9X  Review 

The  Software  Engineering  Institute  (SEI)  is 
supporting  the  revision  of  the  Ada  program¬ 
ming  language  in  a  variety  of  ways.  One 
member  of  the  technical  staff  is  a  participant 
in  the  Ada  9X  Distinguished  Reviewers 
Group,  which  is  responsible  for  reviewing  the 
ongoing  revision  work.  This  group  meets 
periodically  to  review  the  progress  of  the 
revision.  Another  staff  member  chairs  the 
Ada  Compiler  Validation  Capability  (ACVC) 
Review  Team,  which  is  responsible  for 
reviewing  the  direction  and  content  of  the 
test  suite  that  will  be  used  to  validate  Ada  9X 
compilers.  The  SEI  also  supports  outside 
experts  who  participate  in  the  Ada  9X  effort 
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as  distinguished  reviewers  and  as  Ada  Com¬ 
piler  Validation  Capability  Review  Team 
members.  Finally,  the  SEI  provides  electronic 
mailing  facilities  to  the  Ada  9X  project  and  to 
the  Ada  Joint  Program  Office,  facilitating 
communication  among  the  various  groups 
interested  in  the  Ada  standard  and  its 
revision. 

This  quarter,  the  A CVC  Review  Team  met.  In 
addition,  draft  validation  tests  continued  to 
be  reviewed  by  team  members. 


[95 1&5]  SEI  Program  Plans:  1995-1999 
(CMU/SEI-94-SR-19).  Pittsburgh,  PA:  Soft¬ 
ware  Engineering  Institute,  Carnegie  Mellon, 
July  1994. 
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CMU  /  SEI-94-TR-1 0 

This  document  is  available  via  anonymous  FTP  and  through  the  SEI  Mosaic 
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page  (www.sei.cmu.edu).  See  page  35  for  additional  information. 


20  Engineering 


■  Software  Engineering  Institute  ■ 


Software  Risk  Management 

The  objective  of  the  Software  Risk  Management  Program  is  to  improve  the  management  of  risks 
that  arise  in  the  acquisition  and  development  of  software-intensive  systems.  The  projects  are  focus 
ing  on  processes  and  methods  that  enable  the  acquisition  and  development  community  (managers 
and  engineers)  to  make  better  decisions  by: 

•  Identifying  risks  before  they  become  problems. 

•  Communicating  risks  in  a  positive,  non-threatening  way. 

•  Resolving  technical  risk  cost-effectively. 


■  Team  Risk  Management 

The  goal  of  the  Team  Risk  Management 
Project  is  to  establish  a  cooperative  working 
environment  throughout  all  levels  of  a  pro¬ 
gram,  thus  giving  everyone  in  the  program 
the  ability  and  motivation  to  notice  and  han¬ 
dle  risks  before  they  become  problems.  The 
project  works  toward  its  goal  by  developing 
a  framework  for  acquisition  and  develop¬ 
ment  that  fosters  cooperation  and 
partnership  through  team  processes,  explicit 
methods  to  structure  and  sustain  the  pro¬ 
cesses,  and  supporting  tools  to  aid 
practitioners  and  managers. 


management  methods  to  support  these  pro¬ 
cesses,  and  improving  communications 
about  risk  within  and  between  government 
and  industry  program  offices.  The  primary 
emphasis  is  on  enhancing  the  capability  of 
the  customer  and  supplier  to  manage  risks  as 
a  team  in  software  development. 


The  project  continues  its  strategic  partnership 
with  the  Navy  Program  Executive  Office  for 
Anti-Submarine  Warfare,  Air  Assault  and 
Special  Missions  Programs.  Currently  two 
Program  Executive  Officer  PEO(A)  programs 
are  actively  installing  team  risk  management 


into  their  programs. 


The  scope  of  this  project  is  to  develop  and 
transition  into  practice  a  comprehensive  set 
of  software  risk  management  products  for 
effective  support  in  managing  the  acquisition 
and  development  of  large,  software-intensive 
systems.  The  team  risk  management  product 
set  will  focus  on  issues  of  modeling  acquisi¬ 
tion  processes,  developing  team  risk 


This  quarter,  project  members  completed  a 
quarterly  team  review  of  the  Computer  Pro- 
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cessor  Memory  Upgrade  Project  with  the 
government  and  contractor.  The  project  also 
completed  a  software  risk  evaluation  to  pre¬ 
pare  the  way  for  Team  Risk  Management  on 
the  Airborne  Command  Post  Project  with  the 
government  program  office,  the  prime  con¬ 
tractor,  and  its  major  software  subcontractor. 

The  project  team  conducted  two  team  risk 
management  training  sessions  and  delivered 
a  draft  guidebook  documenting  the  concept 
and  procedures  for  applying  team  risk 
management. 

Project  members  presented  the  Team  Risk 
Management  "lessons  learned"  at  the  Soft¬ 
ware  Engineering  Institute  Software 
Engineering  Symposium  in  August. 

Project  members  have  begun  work  on  knowl¬ 
edge  integration  and  how  one  puts  knowl¬ 
edge  into  the  process  of  risk  management. 
Project  members  are  using  the  work  already 
accomplished  in  computer-supported  coop¬ 
erative  work  and  combining  this  with  their 
work  in  natural  language  processing.  The 
framework  of  team  risk  management  pro¬ 
vides  a  robust  environment  to  apply  technol¬ 
ogies  of  cooperative  work  to  assist  the 
decision  makers,  particularly  in  managing 
risk. 


I  Technology  Assessment 

The  Technology  Assessment  Project  is 
focused  on  improving  the  state  of  the  practice 
of  producing  software-dependent  systems  in 
the  Department  of  Defense  (DoD)  industrial 
community  and  the  commercial  community 


through  the  identification  of  development 
risks  and  improvement  of  the  technical  capa¬ 
bility  to  mitigate  the  risks.  The  project 
strategy  is  to  work  in  a  collaborative  manner 
with  key  DoD  and  industrial  organizations  to 
develop,  test,  and  transition  risk  identifica¬ 
tion  and  technical  capability  assessment 
methods  for  the  development  of  software- 
dependent  systems. 

The  first  goal  of  the  Technology  Assessment 
Project  is  to  make  the  Taxonomy-Based  Risk 
Identification  process  as  practical  and  efficient 
as  possible.  To  this  end,  a  tailorable  Taxon¬ 
omy-Based  Questionnaire  (TBQ)  is  being 
produced.  This  product  will  take  into  account 
the  characteristics  of  projects  being  assessed, 
including  the  domain,  life-cycle  phase,  and 
type  of  project.  The  second  goal  of  the  project 
is  to  develop  and  populate  a  risk  information 
repository.  The  risk  information  repository 
will  be  populated  initially  with  data  collected 
from  field  tests  and  risk  assessments  con¬ 
ducted  by  the  Software  Engineering  Institute 
(SEI)  and  strategic  partners.  The  information 
in  the  repository  will  include  common  risks, 
risk  mitigating  actions,  results,  and  lessons 
learned.  Once  obtained,  structured,  and  ana¬ 
lyzed,  the  data  will  also  yield  information  on 
the  relationships  among  risks,  risk  causes  and 
attributes,  and  relative  values  of  risks  that 
will,  in  turn,  be  used  to  support  the  determi¬ 
nation  of  risk  ordering  and  prioritizing.  The 
risk  repository  will  provide  reliable  informa¬ 
tion  on  what  risks  programs  have  faced  for 
particular  situations  and  how  they  dealt  with 
those  risks.  The  repository  will  provide  a  two- 
way  avenue  of  information  to  clients  and  will 
become  more  robust  over  time  as  new  infor¬ 
mation  is  received  and  validated.  The  risk 
repository  is  under  development  and  planned 
for  a  1996  release  for  DoD  community  usage. 
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Work  this  quarter  continued  on  the  develop¬ 
ment  of  data  gathering  methods  to  extend  the 
TBQ  into  domain-specific  areas.  Work  is  also 
being  done  with  the  Engineering  Maturity 
Model  and  the  Computer  Emergency 
Response  Team  Projects,  which  has  resulted 
in  interview  questionnaires  to  gather  data  on 
system  performance  and  system  security 
risks  to  be  used  to  extend  the  TBQ  to  in-depth 
coverage  of  the  system  performance  and 
security  domains.  Several  applications  of  the 
interview  questionnaires  and  interview  tech¬ 
nique  were  conducted  this  quarter  with  both 
projects. 

A  presentation  was  made  at  the  SEI  Software 
Engineering  Symposium  in  August  on  the 
results  of  field  testing  the  taxonomy-based 
risk  identification  method. 

Finally,  the  repository  operations  concepts 
and  design  document  was  released  this  quar¬ 
ter  for  review  both  internal  and  external  to 
the  SEI. 


■  Enterprise  Risk  Management 

The  Enterprise  Risk  Management  (ERM) 
Project  assists  government  and  acquisition 
activities,  program  management,  software 
development,  and  software  support  manag¬ 
ers  in  executing  risk  management  within 
their  applicable  spheres  of  interest.  This  base 
is  concerned  with  acquiring  quality  software 
to  perform  tasks  and  to  span  all  phases  of  the 
normal  life  cycle  of  software:  concept,  dem¬ 
onstration  and  validation  (or  advanced 
technology  demonstration),  buying,  devel¬ 
opment,  and  software  support.  Therefore,  the 


principal  focus  of  the  ERM  Project  is  aimed  at 
the  overall  software  acquisition  life  cycle. 

Initial  project  work,  performed  under  the 
Independent  Risk  Assessment  Project, 
applied  actual  risk  techniques  that  were 
developed  within  the  Software  Engineering 
Institute  (SEI)  Risk  Management  Program  to 
develop  Version  0.1  of  the  Software  Risk  Eval¬ 
uation  (SRE)  and  the  conceptualization  of  the 
Independent  Risk  Assessment  (IRA)  mecha¬ 
nism.  Both  techniques  are  based  on  the 
software  risk  taxonomy  that  was  developed 
within  the  Risk  Program.  The  fundamental 
difference  between  the  SRE  and  the  IRA  is 
that  the  IRA  is  designed  for  quickly  looking 
into  a  specific  software  project  and  providing 
a  comprehensive  risk  profile  and  associated 
conclusions.  The  SRE,  on  the  other  hand,  goes 
beyond  the  risk  profile  findings  and  assists 
users  in  creating  recommendations  concern¬ 
ing  found  risks,  developing  a  set  of  risk 
mitigation  strategies  for  addressing  the  most 
important  risks  initially,  applying  resources 
in  the  most  effective  manner  possible,  and 
populating  those  strategies  with  specific 
activities  that  would  be  required  to  accom¬ 
plish  them. 

The  project  continues  its  SRE  events  in  both 
government  and  commercial  software  devel¬ 
opment  programs  and  projects.  A  new 
technical  objectives  and  plans  agreement  has 
been  made  with  the  U.S.  Coast  Guard  for  VTS 
2000.  The  Acquisition  Risk  Management  Task 
for  the  U.S.  Army  Materiel  Command  Com¬ 
munication-Electronics  Command  should  be 
finished  in  November  1994. 

At  the  1994  SEI  Software  Engineering  Sympo¬ 
sium  in  August,  project  members  participated 
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in  two  different  panels:  "Risk  Management  in 
the  Source  Selection  Process,"  and  "Transition¬ 
ing  Risk  Management  to  the  "Defense 
Acquisition  Community."  Additionally 
project  members  continued  work  on  the  logis¬ 
tics  for  the  1995  Risk  Conference.  The  date, 
location,  and  theme  are  being  developed. 

This  quarter,  project  members  continued  to 
work  on  the  development  of  the  ERM  techni¬ 
cal  report  for  the  SRE.  The  SRE  Handbook 
was  given  to  Information  Management  for 
processing  and  should  be  available  for  exter¬ 
nal  distribution  next  quarter. 

Project  members  continued  working  on  the 
development  of  a  predictive  decision  model/ 
tool.  Feasibility  work  is  currently  going  on 
concerning  the  applicability  of  Community 
of  Interest  (COI)  software  to  SREs.  As  a  test, 
the  COI  technology  is  being  applied  to  the 
U.S.  Treasury  Pacer  Project  data.  Results  will 
be  presented  in  a  white  paper  during  the  next 
quarter. 


Software  Risk  Management  Reports 

July- September  1994 

A  Construct  for  Describing  Software 
Development  Risks 

CMU  /  SEI-94-TR-14 


Team  Risk  Management:  A  Nezv  Model  for 
Customer-Supplier  Relationships 
CMU  /  SEI-94-SR-5 
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■  Software  Engineering  Institute  ■ 


SEI  Educational  Products 


The  objectives  of  the  Software  Engineering  Institute  Educational  Products  Program  are  to  assure 
that  high-quality  software  engineering  education  is  widely  available  through  traditional 
channels  and  existing  infrastructure,  and  to  raise  the  accepted  educational  standard  for 
practicing  software  engineers.  In  addition  to  development  of  educational  products  within  the 
program,  support  and  quality  assurance  are  provided  to  other  Software  Engineering  Institute 
organizations  developing  educational  products. 


■  Academic  Education 
The  Academic  Education  Project  develops 
software  engineering  curricula  and  supports 
universities  in  the  creation  of  software  engi¬ 
neering  programs. 

This  quarter.  Academic  Education  project 
members  began  deliveiy  of  two  courses  over 
the  National  Technological  University  video 
network.  The  courses  are  entitled  "Managing 
Software  Development,"  and  "Software 
Requirements  Engineering." 

Fifteen  new  students  have  entered  the  joint 
Software  Engineering  Institute-Carnegie 
Mellon  Master  of  Software  Engineering  Pro¬ 
gram. 


■  Professional  Education 
The  Professional  Education  Project  interacts 
with  industry  and  government  to  increase  the 
availability  of  high-quality  educational 
opportunities  for  software  practitioners  and 


executives.  The  project  produces  video-based 
course  materials  designed  for  practitioners' 
in-house  education,  and  executive  offerings 
designed  for  decision  makers  involved  in 
improvement  efforts. 

The  course  "Software:  Profit  Through  Process 
Improvement"  was  taught  for  the  Internal 
Revenue  Service  in  Washington,  D.C.  The 
course  was  also  broadcast  via  National  Tech¬ 
nological  University  in  August  and  was 
taught  at  the  Software  Engineering  Institute 
(SEI)  D.C.  facility  in  September.  The  course 
"Software  Quality  Improvement"  was  broad¬ 
cast  via  National  Technological  University  in 
August. 

A  presentation  entitled  "What  Is  Software 
Quality"  was  given  at  the  National  Oceanic 
and  Atmospheric  Administration  (NOAA) 
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Software  Engineering  Symposium  in  Sep¬ 
tember.  A  program  on  the  SEI  educational 
products  and  future  activities  for  the  D.C. 
Software  Process  Improvement  Network 
Training  Group  was  also  held  in  September. 


SEI  Educational  Products  Reports 

July  -  September  1994 

Rate  Monotonic  Analysis  for  Real-Time  Systems ; 
Instructor's  Guide 

SEI-94-EM-11  (revised  September  1994) 

This  document  is  available  via  anonymous  FTP  and  through  the  SEI  Mosaic 
page  (www.sei.cmu.edu).  See  page  35  for  additional  information. 
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■  Software  Engineering  Institute  ■ 


SEI  Services 

The  Software  Engineering  Institute  (SEI)  Services  works  with  other  groups  in  the  SEI  to  develop, 
deliver,  and  transition  services  that  support  the  efforts  of  SEI  clients  to  improve  their  ability  to 
define,  develop,  maintain,  and  operate  software-intensive  systems.  To  accelerate  the  widespread 
adoption  of  effective  software  practices,  SEI  Services  works  with  client  organizations  that  are 
influential  leaders  in  the  software  community,  promotes  the  development  of  infrastructures  that 
support  the  adoption  of  improved  practices,  and  transitions  capabilities  to  government  and 
commercial  associates  for  use  with  their  client  organizations. 


■  Computer  Emergency  Response  T eam 

The  CERTSM  Coordination  Center  was 
formed  by  the  Advanced  Research  Projects 
Agency  (ARPA)  in  November  1988  in 
response  to  the  needs  exhibited  during  an 
Internet  security  incident.  The  CERT  charter 
is  to  work  with  the  Internet  community  to 
facilitate  its  response  to  computer  security 
problems  involving  Internet  hosts,  to  take 
practical  steps  to  raise  the  community's 
awareness  of  security  issues,  and  to  conduct 
research  targeted  at  improving  the  security  of 
existing  systems. 

The  Sixth  Annual  Computer  Security  Inci¬ 
dent  Handling  Workshop  was  held  in  Boston 
in  July.  The  workshop  was  co-sponsored  by 
tire  Forum  of  Incident  Response  and  Security 
Teams  (FIRST),  the  CERT  Coordination  Cen¬ 
ter,  Digital  Equipment  Corporation,  and  the 
National  Institute  of  Standards  and  Technol¬ 
ogy.  The  focus  of  this  workshop  was  on  tools 
for  incident  handling  in  an  international 
arena.  In  addition  to  participating  on  various 


panels.  Coordination  Center  staff  led  three 
sessions:  Incident  Handling  Teams  Status 
and  Update,  Nontraditional  and  Public 
Domain  Network  Servers,  and  Interoperabil¬ 
ity  in  the  FIRST  Community.  One  member  is 
on  the  FIRST  Steering  Committee,  helping  to 
guide  the  direction  of  that  organization. 

In  July,  CERT  members  participated  in  Feder¬ 
ation  of  American  Research  Networks 
(FARNET)  discussions  relating  to  the  transi¬ 
tion  to  a  new  network  architecture.  Security 
is  a  major  concern,  and  CERT  staff  members 
were  asked  to  help  develop  a  handbook  for 
network  users. 

The  CERT  staff  is  developing  a  networked 
information  technology  security  taxonomy 
and  questionnaire  in  collaboration  with  the 
Software  Engineering  Institute  (SEI)  Risk 
Program.  The  CERT  staff  completed  two  for¬ 
mal  field  tests,  one  with  a  commercial 
corporation  and  the  second  with  a  division  of 
a  government  agency. 
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Three  new  advisories  were  released,  alerting 
the  Internet  community  to  security  problems: 

CA-94:11  Majordomo  Vulnerabilities 

CA-94:12  Sendmail  Vulnerabilities 

CA-94:13  SGI  IRIX  Help  Vulnerability 

The  Coordination  Center  staff  also  published 
two  papers  to  raise  the  awareness  of  the  net¬ 
work  community  about  security  issues. 
"CERT  Incident  Response  and  the  Internet" 
was  published  in  the  August  1994  issue  of 
Communications  of  the  ACM.  "Keeping  Intrud¬ 
ers  Away"  appeared  in  the  September  issue 
of  UNIX  Review.  In  addition,  the  most  recent 
issue  of  Bridge  (#1  1994)  contained  an  article, 
"Secure  Software  Reuse,"  describing  the  joint 
work  of  the  CERT  team  and  the  National 
Security  Agency. 

A  CERT  staff  member  is  chairing  two  work¬ 
ing  groups  for  the  Internet  Engineering  Task 
Force  (IETF):  the  Site  Security  Handbook 
(SSH)  Working  Group,  and  the  Guidelines 
and  Recommendations  for  Incident  Process¬ 
ing  (GRIP)  Working  Group.  The  SSH  group  is 
producing  two  documents,  a  site  security 
handbook  for  system  and  network  adminis¬ 
trators,  and  one  for  users.  The  GRIP  group  is 
producing  guidelines  for  security  incident 
response  teams  and  technology  vendors. 

Two  CERT  members  hosted  the  first  meeting 
of  the  CERT  Technical  Council  at  the  Toronto 
IETF.  This  group  will  provide  technical 
expertise  to  the  CERT  Coordination  Center 
during  their  work  on  particularly  difficult 
problems. 

This  quarter,  other  transition  efforts  of  CERT 
members  included  involvement  in  the  fol¬ 
lowing  conferences  and  meetings: 


•  NS  A  TechFest,  Maritime  Institute  (Balti¬ 
more,  Maryland  in  July).  About  200  peo¬ 
ple  attended,  primarily  government 
employees  and  contractors.  CERT  staff 
members  were  invited  to  attend  to  learn 
about  unclassified  research  that  the 
National  Security  Agency  is  doing  in  the 
area  of  computer  security. 

•  1994  USENIX  LISA  Conference  (San 
Diego,  California  in  September).  CERT 
members  held  a  birds-of-a-feather  session 
on  security  issues. 

•  LAN  Summit  1994  (Sydney,  Australia  in 
September).  A  CERT  member  was  the 
invited  chair  for  a  panel  discussion  of 
security  in  a  local  area  network  environ¬ 
ment. 

•  40th  Annual  ASIS  (American  Society  for 
Industrial  Security)  Conference  (Las 
Vegas,  Nevada.)  A  CERT  staff  member 
was  an  invited  speaker,  presenting  "The 
Internet:  Managing  the  Risks." 

•  Center  for  Strategic  and  International 
Studies  Conference  on  Global  Orga¬ 
nized  Crime  (Washington,  D.C.  in  Sep¬ 
tember).  A  CERT  member  was  the  invited 
chair  for  a  panel  discussing  "Vulnerabili¬ 
ties  and  Manipulation  of  the  International 
Information  SuperHighway." 

•  4th  Annual  ARPA  Networking  Principal 
Investigators  Meeting  (Santa  Fe,  New 
Mexico  in  September).  A  CERT  staff  mem¬ 
ber  spoke  on  the  CERT  Coordination  Cen¬ 
ter  and  Internet  security. 

This  quarter,  CERT  received  1,490  e-mail 
messages  and  774  hotline  calls  requesting 
information  or  reporting  computer  security 
incidents. 
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■  Software  Engineering  Institute  ■ 


Program  Development 


The  vision  of  the  Program  Development 
Division  (PDD)  is  to  serve  customer  needs  by 
being  the  voice  of  the  customer  to  the  Soft¬ 
ware  Engineering  Institute  (SEI)  and  the 
voice  of  the  SEI  to  the  customer.  The  PDD 
mission  is  to  understand  the  key  require¬ 
ments  of  SEI  customers,  translate  these  into 
responsive  SEI  program  specifications  consis¬ 
tent  with  the  SEI  mission,  and  facilitate  the 
effective  transition  of  best  software  engineer¬ 
ing  practice  into  use. 

PDD  accelerates  the  transition  of  new  SEI 
software  technologies  and  methods  by  dis¬ 
seminating  information,  providing 
mechanisms  for  collaboration  and  technol¬ 
ogy  exchange,  and  offering  customers  the 
opportunity  to  participate  in  technical  inter¬ 
change  meetings,  workshops,  and 
educational  offerings.  Efforts  used  to  facili¬ 
tate  this  transition  include  the  Customer 
Relations  information  line,  the  subscriber 
program,  the  resident  affiliate  program,  dis¬ 
tribution  partners,  and  events  such  as  the 
annual  SEI  Software  Engineering  Sympo¬ 
sium  and  Visitor's  Days.  The  focus  of  the  SEI 
subscriber  program  is  to  keep  individuals 
abreast  of  current  SEI  course  offerings,  initia¬ 
tives,  products,  and  events.  Since  its 
inception  in  1992,  the  program  continues  to 
show  its  commitment  to  the  transfer  of  soft¬ 
ware  engineering  technology  to  SEI 
customers. 


Subscribers  currently  receive: 

•  A  subscription  to  Bridge  quarterly  maga¬ 
zine.  Through  Bridge,  subscribers  learn 
about  SEI  technical  work,  products,  and 
services  as  well  as  customer  experiences 
in  transitioning  technology. 

•  The  Annual  Technical  Review,  which  is  a 
compendium  of  key  technical  work  that 
the  SEI  performed  within  a  given  year. 

•  Advance  notice  of  newly  released  SEI 
publications. 

•  A  10%  discount  on  SEI  technical  reports 
through  Research  Access  Incorporated. 

•  Early  notification  of  SEI  conferences  and 
events. 

•  A  substantial  discount  at  the  annual  SEI 
Software  Engineering  Symposium. 

•  A  complimentary  copy  of  Key  Practices  of 
the  Capability  Maturity  Model,  Version  1.2 
and  the  Capability  Maturity  Model  for  Soft¬ 
ware,  Version  1.1. 

The  $100  annual  program  fee  covers  the 
entire  year  from  the  date  that  the  subscription 
is  activated.  The  fee  is  subject  to  change. 
Department  of  Defense  customers  receive 
complimentary  subscriptions.  The  program 
works  on  an  individual  basis  and  is  extended 
to  those  with  a  U.S.  mailing  address.  Ques¬ 
tions  about  SEI  work  or  the  subscriber 
program  should  be  directed  to  Customer 
Relations  (see  page  35  for  contact 
information). 
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Visitor's  Day  is  hosted  by  the  SEI  three  times 
a  year  to  familiarize  software  practitioners, 
managers,  and  educators  with  the  SEI.  The 
next  Visitor's  Day  will  take  place  on  10 
November.  Visitors  must  preregister;  walk- 
ins  will  not  be  accommodated.  Registration 
forms  are  available  from  Customer  Relations 
(see  page  35  for  more  information). 

The  SEI  hosted  its  annual  Software  Engineer¬ 
ing  Symposium  on  22-25  August  1994  in 
Pittsburgh.  Since  this  is  the  ten-year  anniver¬ 
sary  of  the  existence  of  the  SEI,  the  theme  for 
the  symposium  was  "10  Years  of  Improving 
the  State  of  the  Practice."  This  year's  keynote 
speakers  looked  back  on  the  past  10  years  and 
forward  to  the  next  5-10  years  and  discussed 
relevant  issues  in  terms  of  the  state  of  soft¬ 
ware  engineering  practice.  As  in  the  past  two 
years  of  the  Symposium,  there  were  dozens 
of  exhibition  booths,  including  ones  from 
organizations  who  are  commercializing  tech¬ 
nology  developed  at  the  SEI. 

Invited  speakers  at  the  Symposium  included: 

•  William  F.  (Hank)  Hayes,  Executive  Vice 
President  of  Texas  Instruments 

•  John  Major,  Senior  Vice  President  of 
Motorola 

•  Robert  Mehrabian,  President  of  Carnegie 
Mellon 

•  Emmett  Paige,  Assistant  Secretary  of 
Department  of  Defense 

•  William  Valentine,  Xerox 

Frank  McGarry  spoke  on  behalf  of  his  team  at 
the  NASA  Software  Engineering  Laboratory, 
which  was  selected  as  the  first  recipient  of  the 
IEEE/SEI  Award  for  Software  Process 
Achievement. 


An  article  about  the  Symposium  will  be  pub¬ 
lished  in  the  October  1994  edition  of  Carnegie 
Mellon  Nezvs. 

As  of  30  September  1994,  the  organizations 
listed  in  Table  1  have  active  technical  collabo¬ 
ration  agreements  with  the  SEI.  A  technical 
collaboration  is  a  fixed-duration,  well- 
defined  collaborative  relationship  between 
one  or  more  SEI  projects  and  one  or  more 
industry  partners.  This  form  of  collaboration 
involves  a  mutual  commitment  of  resources 
to  generate  a  demonstrable  product. 

The  SEI  has  signed  strategic  collaboration 
agreements  with  4  strategic  partners  as  of  30 
September.  A  strategic  collaboration  is  a  long¬ 
term,  corporate-level  relationship  between 
the  SEI  and  an  industry  organization.  The 
relationship  is  characterized  by  a  mutual 
statement  of  strategic  intent  and  goals,  and 
by  the  existence  of  a  historical,  multi-year 
association  through  resident  affiliate  spon¬ 
sorship,  masters  of  software  engineering 
sponsorship,  or  several  technical  or  other 
forms  of  collaboration.  The  current  strategic 
partners  are  listed  in  Table  2. 

The  organizations  in  Tables  3-4  sponsored 
resident  affiliates  during  the  third  quarter  of 
1994. 

The  SEI  serves  as  a  point  of  contact  for  current 
and  emerging  Software  Process  Improve¬ 
ment  Network  (SPIN)  organizations. 
Through  participation  in  SPINs,  people  tap 
into  existing  SPIN  organizations  and  learn 
how  to  start  a  SPIN  in  a  new  geographic  loca¬ 
tion.  The  locations  listed  in  Tables  5-6  have 
active  SPIN  organizations. 
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As  of  30  September,  the  organizations  listed 
in  Table  7  have  active  Technical  Objectives 
and  Plans  (TO&P)  agreements  with  the  SEI. 
These  customers  provide  the  SEI  with  fund¬ 
ing  to  support  specific  technical  activities  that 
facilitate  the  transition  of  promising  software 
engineering  technology  into  practice. 


Table  1 

Organizations  with  current 
Technical  Collaboration 
Agreements 


Applied  Software  Engineering  Centre, 
Canada 

Bell  Northern  Research 
Computer  Sciences  Corporation 
Federal  Express 
Ford 

Harris  Corporation  _ 

Hewlett-Packard  Corporation 

Hughes  _ 

Loral  Federal  Systems 
Master  Systems,  Inc. 

Motorola 


Science  Applications  International  Corp. 

SETACorp.  _ 

Siemens  Corporate  Research 

Software  Productivity  Consortium _ 

Texas  Instruments 

Universidad  Politecnica  de  Madrid  (Spain) 

University  of  Southern  California  Center 
for  Software  Engineering _ 

USWest  Technologies,  Inc. 

Westinghouse 


Table  2 

Strategic  Partners 


Hewlett  Packard 
Hughes  Aircraft 


Loral  Federal  Systems 
Texas  Instruments 


Table  3 

Industry  Affiliates 


Bell  Northern  Research 
Computer  Sciences  Corporation 
GTE  Government  Systems 
Hughes  Aircraft  Company _ 


SEMATECH 


Texas  Instruments 


Unisys  CARDS 
Wilcox  Electric 
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Table  4 

Government  Affiliates 


Table  5 

Domestic  locations  that  have 
active  SPIN  organizations 


Table  6 

International  locations  that  have 
active  SPIN  organizations 


Defense  Logistics  Agency 

Nuclear  Regulatory  Commission 

Electronic  Systems  Center,  USAF 

United  States  Military  Academy 

National  Security  Agency 

Huntsville,  Alabama 

St.  Louis,  Missouri 

Phoenix,  Arizona 

Omaha,  Nebraska 

Tucson,  Arizona 

Northern  New  Jersey 

Bay  Area  (Northern  California) 

Albuquerque,  New  Mexico 

Los  Angeles,  California 

Cleveland,  Ohio 

Silicon  Valley,  California 

Pittsburgh,  Pennsylvania 

Southern  California 

Austin,  Texas 

Colorado  (Front  Range  area) 

Dallas/Fort  Worth,  Texas 

Washington,  D.C. 

Hampton  Roads,  Virginia 

Boston,  Massachusetts 

Seattle,  Washington 

Chicago,  Illinois 

Southeast  Wisconsin 

Victoria,  Australia 

The  Netherlands 

Montreal,  Canada 

Bizkaiaa,  Spain 

France 

Madrid,  Spain 

Bangalore,  India 

United  Kingdom 
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Table  7 

Organizations  with  TO&P 
agreements  with  the  SEI 


Air  Force 

Air  Force  Communications  Command  (AFCC) 

Air  Force  Materiel  Command  (AFMC) 

Air  Force  Space  Command  (AFSPACECOM) 

Air  Staff  Automation  Support 

Electronic  Systems  Center  (ESC) 

Navy 

Marine  Corps  Tactical  Systems  Support  Agency  (MCTSSA) 

Navy  Supply  Systems  Command  (NAVSUP) 

Naval  Surface  Warfare  Center  (NSWC) 

Naval  Oceanic  Office  (NAVOCEANO) 

Office  of  Naval  Research  (ONR) 

Program  manager  (Aircraft)  (PMA)  264 

Program  Manager  (Aircraft)  (PMA)  271 

Program  Executive  Officers  (A)  (PEO  (A)) 

Space  and  Naval  Warfare  Systems  Command  (SPAWAR) 

Army 

Army  Materiel  Command  (AMC) 

Corps  of  Engineers 

Stimulation,  Training,  and  Instrumentation  Command  (STRICOM) 

Joint  Agencies 

Ada  Joint  Program  Office  (AJPO) 

Advanced  Projects  Research  Agency  (ARPA) 

Ballistic  Missile  Defense  Organization  (BMDO) 

Defense  Financial  Accounting  Systems  (DFAS) 

Defense  Information  Systems  Agency  (DISA) 

Defense  Mapping  Agency  (DMA) 

National  Security  Agency  (NSA) 

Office  of  the  Secretary  of  Defense  (OSD) 

Federal  Agencies 

Federal  Aviation  Administration  (FAA) 

Financial  Management  Service  (FMS) 

National  Institute  of  Standards  and  Technology  (NIST) 

National  Oceanographic  and  Atmospheric  Sciences  Agency  (NOAA) 

U.S.  Coast  Guard 

Federal 

Laboratories 

Sandia  National  Lab 

3Q94  33  ■ 


34  Program  Development 


■  Software  Engineering  Institute  ■ 


Additional  Information 


B  How  to  Obtain  Hardcopies  of 
SEI  Documents 

For  information  about  purchasing  hard¬ 
copies  of  Software  Engineering  Institute  (SEI) 
publications,  contact  one  of  the  following 
organizations: 

RAI  Research  Access  Inc. 

800  Vinial  Street 
Pittsburgh,  PA  15212 
Telephone:  1-800-685-6510 
FAX:  (412)682-2994 


B  How  to  Obtain  Electronic  Copies 
of  SEI  Documents 

Some— not  all— SEI  documents  are  available 
electronically,  via  anonymous  file  transfer 
protocol  and  through  the  SEI  Mosaic  page 
(www.  sei .  emu .  edu).  Send  electronic  mail  to 
inf o-manage@sei .  emu .  edu  for  additional 
information.  Be  certain  to  include  your  tele¬ 
phone  number  in  the  event  that  we  have  dif¬ 
ficulty  contacting  you  by  return  electronic 
mail. 


NITS  National  Technical  Information  Service 
U.S.  Department  of  Commerce 
Springfield,  VA  22161-2103 
Telephone:  (703)487-4600 


DnC  Defense  Technical  Information  Center 
ATTN:  FDRA  Cameron  Station 
Alexandria,  VA  22304-6145 
Telephone:  (703)274-7633 


B  How  to  Get  Additional  Information 
About  the  SEI 

For  information  about  the  subscriber  pro¬ 
gram  and  other  SEI  offerings,  contact: 

The  Software  Engineering  Institute 
ATTN:  Customer  Relations 
Carnegie  Mellon  University 
Pittsburgh,  PA  15213-3890 
(412)  268-5800 

Internet:  customer-relations@sei .  errtu .  edu 
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